Plan Maintenance

Business organisation Continuity and Disaster Recovery Overview

Susan Snedaker , Chris Rima , in Business Continuity and Disaster Recovery Planning for IT Professionals (Second Edition), 2014

Programme maintenance

Finally, program maintenance is the final step in the BC/DR planning process, and in many companies, it is "last and to the lowest degree." Without a programme to maintain your programme, it will become just another project certificate on a file server or sitting in a folder on a shelf. If information technology doesn't go maintained, updated, and revalidated from time to fourth dimension, you lot'll find that the plan may be rendered useless if a disaster does strike. Maintenance doesn't take to be an enormous task, only information technology is ane that must be done. Most chiefly, there must be an organizational commitment to do so and someone within the company to own information technology. We'll look at this in Chapter 10 and provide some tips on how to incorporate these tasks into your day-to-day operations to reduce the ongoing brunt of programme maintenance.

Looking Ahead…

IT, Security, Disasters…and the Law

Ane of the stiff trends in It and IT security is the increased demand that companies secure individual data such as social security numbers, credit carte du jour numbers, abode addresses and phone numbers, financial data, medical data, and more. As the corporeality of electronic data collected and stored increases, and then too does the risk to individuals. Recent headlines are rife with examples of personal information existence lost, stolen, hacked, or modified. Companies can no longer say "nosotros did our best" without proving that their all-time was at to the lowest degree upward to current industry standards. Looking ahead, companies can look three major trends to impact how they manage IT security. These standards volition use during normal business operations and emergencies—companies won't exist able to easily blame breaches and theft on emergencies that were foreseeable and manageable, every bit is the case with many of the disaster events listed earlier in this affiliate. These three key trends, which yous should monitor for your IT organization, are:

The continuing expansion of the requirement to provide Information technology (and data) security

The emergence of a standard definition of "reasonable security"

The imposition of the duty to notify after a security breach

Consumers and regulators akin are raising their expectations regarding IT security, and companies are both legally and ethically bound to brand serious, constructive efforts to safeguard private information. Emergency and disaster conditions may soften those requirements simply a bit but don't assume your company volition be able to hide behind a disaster or event if data are lost, stolen, mishandled, or inappropriately disclosed. If your firm deals with information that are sensitive, confidential, or private in nature, consult with your firm's legal counsel to sympathize fully the legal and regulatory requirements your firm will be subject to during a crunch, emergency, or disaster. In Affiliate two and the case study that follows it, we provide examples of the need for due diligence in handling electronic data regardless of whether you're facing normal operational challenges or a major disaster.

Read total chapter

URL:

https://www.sciencedirect.com/science/article/pii/B9780124105263000015

Business Continuity/Disaster Recovery Plan Development

Susan Snedaker , Chris Rima , in Business organisation Continuity and Disaster Recovery Planning for IT Professionals (2d Edition), 2014

Phases of business continuity and disaster recovery

The various phases of the BC/DR cycle include activation, disaster recovery, business continuity, and maintenance/review. Plan maintenance and review occurs periodically, regardless of whether or not the program has always been activated.

The activation stage occurs when a disaster or business disruption occurs, and it is determined that the program should be implemented. Articulate directives on how and when to activate the program should be included.

The disaster recovery phase includes the tasks that must be undertaken to stop the affect of the event and to begin recovery efforts. This includes harm cess, take a chance cess, salvage operations, as well as the evaluation of advisable alternatives and solutions.

The business continuity phase entails the activities required to restore the company's business operations. This assumes disaster recovery has been completed and that the business is upward and running in a limited manner. This is non all the same business concern as usual and may involve the employ of temporary solutions and work-arounds.

Maintenance and review are similar phases. Maintenance requires a review of the program from time to time to ensure everything is still electric current and that changes to the visitor or its infrastructure are reflected in the plan.

Review occurs after the program has been activated and implemented. Gathering lessons learned and updating the plan with new information gleaned from the feel aid the organization avert making the same mistake twice and help the system larn from the feel.

Read total chapter

URL:

https://www.sciencedirect.com/science/article/pii/B9780124105263000076

31st European Symposium on Computer Aided Process Technology

Teemu J. Ikonen , Iiro Harjunkoski , in Computer Aided Chemical Engineering, 2021

1 Introduction

The components of an industrial production plant dethrone over time, reducing the overall reliability. An unexpected failure in a critical component may cause significant production losses. In gild to ameliorate the reliability of the institute, the operators plan maintenance shutdowns, during which degraded components are either replaced or repaired. However, as modern production plants often contain thousands of replaceable/repairable components, the operators are rarely able to maintain all the components. Identifying the all-time subset of maintenance actions, subject to time and cost, is referred to equally selective maintenance optimization. In the corresponding literature, the component lifetimes are typically assumed to follow either the Weibull or exponential distribution with given parameters without directly considering any lifetime data ( Cao et al., 2018). Thus, we recently performed a selective maintenance optimization written report that links lifetime data into selective maintenance optimization with the focus on the bathtub-shaped failure rates (Ikonen et al., 2020).

The bathtub-shaped failure rate is a combination of three contemporaneous failure modes: a decreasing babe mortality rate, a constant random failure rate, and an increasing failure rate due to degradation. The literature is fairly established in terms of failure distributions of such models. However, the plumbing fixtures of model parameters to lifetime data is often performed inadequately. While some authors explicitly maximize the log-likelihood function (east.one thousand. by PROC NLMIXED in SAS or MaxBFGS in the Ox language), a commonly used approach is to observe a point in the parameter infinite where the partial derivatives of the log-likelihood are zip. This arroyo is, for case, performed past Xie et al. (2002), El-Gohary et al. (2013), and Sarhan and Apaloo (2013) when fitting their failure models to the widely studied lifetime dataset by Aarset (1987). Equally the log-likelihood functions of the models are non-convex, the resulting fitting may well represent to a local optimum, or fifty-fifty a saddle bespeak.

In this paper, we showtime prove that better fits, i.e., greater log-likelihoods, tin exist found to the lifetime dataset by Aarset (1987) for the failure models proposed in the three abovementioned studies by using the Nelder-Mead algorithm with adaptive parameters (Gao and Han, 2012). Second, we demonstrate how the improved fitting of the failure model by Sarhan and Apaloo (2013) affects the decision-making on a selective maintenance optimization problem.

Read full affiliate

URL:

https://www.sciencedirect.com/science/article/pii/B9780323885065500966

BC/DR Plan Maintenance

Susan Snedaker , Chris Rima , in Business organisation Continuity and Disaster Recovery Planning for It Professionals (Second Edition), 2014

Strategies for managing change

Monitoring change in the organization tin can be a challenging chore. Changes to personnel, processes, and technology create abiding flux in organizations.

Developing a change notification process dissever from a alter request process may reduce resistance to BC/DR plan maintenance activities.

Y'all should develop a methodology for evaluating and incorporating alter into the plan. The process should include evaluation criteria and steps for prioritizing, assessing, and incorporating change.

Changes that are incorporated should trigger a programme revision and squad notification that a new program version is bachelor. Changes may as well trigger the demand for additional testing or grooming. If so, this should be flagged and advisable activities should be scheduled.

Changes that are delayed or rejected should be noted and the modify requestor should be notified of the conclusion and the rationale for the decision.

Read full affiliate

URL:

https://www.sciencedirect.com/science/article/pii/B9780124105263000106

Contingency Planning

Stephen D. Gantz , Daniel R. Philpott , in FISMA and the Risk Management Framework, 2013

Develop Contingency Plan

The development of the data system contingency plan (ISCP) is both a discrete footstep in the contingency planning process and an integral part of each of the other contingency planning activities. The ISCP references contingency planning policy, includes the results of business concern impact assay, and documents contingency strategies, security controls selected and implemented for contingency planning, testing and training information, and ongoing contingency plan maintenance procedures. The content and structure Special Publication 800-34 specifies for the ISCP are described in the post-obit section of this chapter. The ISCP defines roles, responsibilities, teams, and contingency procedures associated with restoring an information system following a disruption. The ISCP also documents technical characteristics of the system and its operating environment designed to back up contingency operations, including system-specific and common controls. The information provided in contingency plans should offering sufficient detail to enable contingency teams to execute all necessary processes and activities when the ISCP is activated. Special Publication 800-34 notes that contingency plans need to residuum item with flexibility, as more detailed plans with greater levels of specificity may be less versatile, scalable, or adaptable to dissimilar types of events leading to outages [43].

Read full affiliate

URL:

https://www.sciencedirect.com/science/article/pii/B9781597496414000151

Accelerating data acquisition process in the pharmaceutical industry using Internet of Things

T. Poongodi , ... Balamurugan Balusamy , in An Industrial IoT Approach for Pharmaceutical Industry Growth, 2020

Abstract

The Internet of Things (IoT) provides improved opportunities for the pharmaceutical industry including preventive maintenance of equipment, good command of drug manufacturing, and enhanced supply concatenation direction. In particular, IoT sensors activate optimal conditions to ensure flawless equipment operation, handle biomaterials and chemicals, and preclude fraudulent drug activities. In drug manufacturing, the potential pitfalls for an asset failure due to several causes such as excessive voltage, mechanical damage, chemical deterioration, lack of maintenance, and unstable environment are identified. Hence, continuous real-time monitoring systems are required in pharmaceutical industries to prevent risks regarding unplanned equipment shutdown. The IoT continuously updates the condition information on the equipment components such every bit pressure gauges, air compressors, heat exchangers, sterilizers, vacuum pumps, and multimedia filters. The data acquired past the sensors tin be utilized to prevent critical issues, minimize reanimation, plan maintenance and repair, and ensure workplace prophylactic. The caused information can provide a consummate sketch of the equipment utilization. This summary assists in generating an overall report that in plough helps in reducing waste and optimizing performance.

The diverse environmental weather play a significant role in drug manufacturing and, fortunately, the IoT devices enable piece of cake handling of such weather. The IoT-based pharmaceutical industry creates transparency in drug production and the maintenance environs. The different IoT sensors such as humidity, light, temperature, CO2 level, and radiation are used to enable continuous monitoring in a existent-time environment. The caused information can exist continuously updated, enabling rapid environment overview and appropriate measures tin can be taken immediately. In the instance of any disaster, an alarm is given to staff members for timely evacuation. The rapid development of IoT technology connects unlike smart objects that enable data interoperability for healthcare applications in the pharmaceutical industries. The efficient IoT data-accessing method supports timely data access in a distributed heterogeneous environment. Information technology is anticipated that the information generated per second by every human being approximates to 1.7   MB and the volume of data doubles every 2 years, thereby information technology was forecast to reach 40   ZB past 2020. This affiliate deals with the pregnant role of IoT the in pharmaceutical industry and the upstanding problems and countermeasures of accessing heterogeneous data in healthcare services.

Read full chapter

URL:

https://world wide web.sciencedirect.com/science/commodity/pii/B978012821326100005X

Domain eight

Eric Conrad , ... Joshua Feldman , in CISSP Written report Guide (Second Edition), 2012

Project initiation

In social club to develop the BCP/DRP, the scope of the project must be determined and agreed upon. This involves seven distinct milestones, equally listed below [nine]:

Develop the contingency planning policy argument—A formal department or agency policy provides the authority and guidance necessary to develop an effective contingency plan.

Comport the business impact analysis (BIA)—The BIA helps to place and prioritize disquisitional IT systems and components. A template for developing the BIA is also provided to assist the user.

Place preventive controls—Measures taken to reduce the effects of arrangement disruptions tin can increase system availability and reduce contingency lifecycle costs.

Develop recovery strategies—Thorough recovery strategies ensure that the arrangement may be recovered quickly and effectively following a disruption.

Develop an It contingency plan—The contingency plan should contain detailed guidance and procedures for restoring a damaged system.

Plan testing, grooming, and exercises—Testing the plan identifies planning gaps, whereas preparation prepares recovery personnel for plan activation; both activities improve plan effectiveness and overall agency preparedness.

Program maintenance —The plan should be a living document that is updated regularly to remain current with system enhancements.

Implementing software and application recovery tin can exist the most difficult for organizations facing a disaster event. Hardware is relatively easy to obtain. Specific software baselines and configurations with user information tin can be extremely difficult to implement if not planned for before the effect occurs. Figure 9.2 shows the BCP/DRP procedure, actions, and personnel involved with the programme creation and implementation. IT is a major office of whatsoever organizational BCP/DRP, but, as Figure 9.2 shows, information technology is not the merely business for C-level managers. In fact, IT is chosen upon to provide support to those parts of the organization directly fulfilling the business mission. Information technology has particular responsibilities when faced with a disruption in business operations considering the organization's communications depend so heavily on the IT infrastructure. As you review Figure 9.ii, also note that the It BCP/DRP volition have a directly impact on the unabridged arrangement's response during an emergency event. The pinnacle line of Figure 9.2 shows the organizationwide BCP/DRP process; below that is the Information technology BCP/DRP process. You tin see through the arrows how each is connected to the other.

Figure 9.2. The BCP/DRP Procedure.

Management support

It goes without saying that whatever BCP/DRP is worthless without the consent of the upper level direction team. C-level managers must agree to any plan gear up forth and besides must agree to back up the action items listed in the plan if an emergency effect occurs. C-level direction refers to positions within an organization such equally chief executive officer (CEO), principal operating officeholder (COO), primary data officeholder (CIO), and chief financial officer (CFO). C-level managers are of import, peculiarly during a confusing result, because they have enough power and authority to speak for the entire organisation when dealing with outside media and are high enough within the organization to commit resources necessary to move from the disaster into recovery if outside resources are required. This also includes getting agreement for spending the necessary resources to reconstitute the system'due south necessary functionality.

Another reason why C-level management may want to conduct a BCP/DRP project for the arrangement is to identify process improvements and increase efficiency within the organization. Once the BCP/DRP project evolution programme has been completed, direction will be able to determine which portions of the organization are highly productive and volition be enlightened of all of the impacts they have on the balance of the arrangement and how other entities within the organization affect them.

BCP/DRP project manager

The BCP/DRP projection managing director is the primal signal of contact (POC) for ensuring that a BCP/DRP not only is completed but also is routinely tested. This person needs to accept business skills, to be extremely competent, and to be knowledgeable with regard to the organization and its mission, in addition to being a skillful manager and leader in case there is an event that causes the BCP or DRP to be implemented. In most cases, the project manager is the POC for every person inside the system during a crisis.

Organizational skills are necessary to manage such a daunting job, as these are very important, and the project manager must be very organized. The most important quality of the project managing director is that he or she has credibility and enough authorisation within the organization to make important, disquisitional decisions with regard to implementing the BCP/DRP. Surprisingly enough, this person does not need to have in-depth technical skills. Some technical knowledge is required, certainly, but, virtually importantly, the projection manager must have the negotiation and people skills necessary to create and disseminate the BCP/DRP among all the stakeholders within the arrangement.

Edifice the BCP/DRP team

Building the BCP/DRP squad is essential for the organization. The BCP/DRP squad is comprised of those personnel who volition take responsibilities if or when an emergency occurs. Before identification of the BCP/DRP personnel can have place, the continuity planning project team (CPPT) must be assembled. The CPPT is comprised of stakeholders within an arrangement and focuses on identifying who would need to play a role if a specific emergency effect were to occur. This includes people from the human resources section, public relations (PR), It staff, physical security, line managers, essential personnel for total business effectiveness, and anyone else responsible for essential functions. Likewise, depending on the emergency of the event, different people may take to play a different role; for example, in an IT emergency event that simply affected the internal workings of the organization, PR may non have a vital role. Any emergency that affects customers or the general public, however, would require PR's direct involvement.

A difficult issue facing the CPPT is how to handle the manager/employee relationship. In many software and IT-related businesses, employees are "matrixed." A matrixed arrangement leverages the expertise of employees by having them work numerous projects under many unlike direction bondage of control. Suppose employee John Smith is working on four unlike projects for four unlike managers. Who will take responsibility for John in the event of an emergency? These types of questions will be answered by the CPPT. It is the planning organization that finds answers to organizational questions such equally the above example. It should exist understood and planned that, in an emergency situation, people become difficult to manage.

Read total chapter

URL:

https://www.sciencedirect.com/science/commodity/pii/B9781597499613000091

Domain vii: Security Operations (e.g., Foundational Concepts, Investigations, Incident Direction, Disaster Recovery)

Eric Conrad , ... Joshua Feldman , in CISSP Study Guide (Third Edition), 2016

Project Initiation

In social club to develop the BCP/DRP, the scope of the project must be determined and agreed upon. This involves seven distinct milestones [17] as listed below:

1.

Develop the contingency planning policy statement: A formal department or agency policy provides the authority and guidance necessary to develop an effective contingency plan.

ii.

Conduct the business touch assay (BIA): The BIA helps to place and prioritize critical It systems and components. A template for developing the BIA is as well provided to assist the user.

3.

Identify preventive controls: Measures taken to reduce the effects of organisation disruptions can increment system availability and reduce contingency life wheel costs.

4.

Develop recovery strategies: Thorough recovery strategies ensure that the system may be recovered quickly and effectively following a disruption.

5.

Develop an Information technology contingency programme: The contingency plan should contain detailed guidance and procedures for restoring a damaged system.

6.

Plan testing, training, and exercises: Testing the plan identifies planning gaps, whereas training prepares recovery personnel for plan activation; both activities meliorate plan effectiveness and overall agency preparedness.

7.

Plan maintenance : The plan should be a living document that is updated regularly to remain current with arrangement enhancements. [18]

Implementing software and awarding recovery can be the most difficult for organizations facing a disaster event. Hardware is relatively easy to obtain. Specific software baselines and configurations with user data can be extremely hard to implement if not planned for before the event occurs. Figure eight.12 shows the BCP/DRP process, actions, and personnel involved with the programme creation and implementation. It is a major part of any organizational BCP/DRP only, every bit Effigy 8.12 shows, it is non the only concern for C-level managers. In fact, IT is chosen upon to provide support to those parts of the arrangement directly fulfilling the business mission. Information technology has item responsibilities when faced with a disruption in business concern operations because the organization's communications depend so heavily on the IT infrastructure. Equally you review Figure viii.12, as well note that the It BCP/DRP will have a direct impact on the unabridged organization's response during an emergency event. The superlative line of Figure viii.12 shows the organization-wide BCP/DRP procedure; beneath that is the It BCP/DRP process. You can meet through the arrows how each is connected to the other.

Effigy eight.12. The BCP/DRP Process

Management Support

It goes without maxim that any BCP/DRP is worthless without the consent of the upper level management squad. The "C"-level managers must hold to whatsoever program set forth and also must agree to support the action items listed in the plan if an emergency event occurs. C-level management refers to people within an organization similar the main executive officer (CEO), the chief operating officeholder (COO), the main information officeholder (CIO), and the master fiscal officer (CFO). C-level managers are important, especially during a confusing issue, because they have enough power and dominance to speak for the entire organisation when dealing with outside media and are high enough inside the organization to commit resource necessary to move from the disaster into recovery if outside resources are required. This as well includes getting agreement for spending the necessary resources to reconstitute the organization's necessary functionality.

Another reason that the C-level management may want to conduct a BCP/DRP project for the organisation is to identify process improvements and increase efficiency inside the arrangement. Once the BCP/DRP project evolution plan has been completed, the direction will exist able to determine which portions of the arrangement are highly productive and are aware of all of the impacts they have on the rest of the organization and how other entities within the organization affect them.

BCP/DRP Project Manager

The BCP/DRP project manager is the key Point of Contact (POC) for ensuring that a BCP/DRP is not only completed, just also routinely tested. This person needs to have concern skills, be extremely competent and knowledgeable with regard to the arrangement and its mission, and must be a good manager and leader in case there is an event that causes the BCP or DRP to be implemented. In most cases, the project director is the Signal of Contact for every person within the system during a crisis.

Organizational skills are necessary to manage such a daunting task, as these are very important, and the project manager must be very organized. The most important quality of the project managing director is that he/she has credibility and plenty authorization within the organisation to make important, critical decisions with regard to implementing the BCP/DRP. Surprisingly enough, this person does not need to have in-depth technical skills. Instead, some technical noesis is required only, most importantly, the project director needs to accept the negotiation and people skills necessary to create and disseminate the BCP/DRP among all the stakeholders within the organisation.

Building The BCP/DRP Team

Building the BCP/DRP squad is essential for the organization. The BCP/DRP squad comprises those personnel that will accept responsibilities if/when an emergency occurs. Before identification of the BCP/DRP personnel can take place, the Continuity Planning Project Team (CPPT) must be assembled. The CPPT is comprised of stakeholders within an system and focuses on identifying who would need to play a role if a specific emergency event were to occur. This includes people from the homo resources section, public relations (PR), Information technology staff, physical security, line managers, essential personnel for full business effectiveness, and anyone else responsible for essential functions. Also, depending on the type of emergency, different people may have to play a dissimilar role. For example, in an It emergency outcome that only afflicted the internal workings of the organization, PR may not have a vital role. Still, whatsoever emergency that affects customers or the general public would require PR'south straight involvement.

Some difficult issues with regards to planning for the CPPT are how to handle the managing director/employee relationship. In many software and IT-related businesses, employees are "matrixed." A matrixed arrangement leverages the expertise of employees by having them work numerous projects under many different direction chains of command. For example: employee John Smith is working on iv unlike projects for four different managers. Who volition take responsibleness for John in the event of an emergency? These types of questions will exist answered by the CPPT. Information technology is the planning squad that finds answers to organizational questions such every bit the above instance. It should exist understood and planned that, in an emergency state of affairs, people get difficult to manage.

Read full chapter

URL:

https://www.sciencedirect.com/science/commodity/pii/B9780128024379000084

Project Initiation

Susan Snedaker , Chris Rima , in Concern Continuity and Disaster Recovery Planning for Information technology Professionals (2nd Edition), 2014

Business continuity and disaster recovery project plan

Those of you familiar with project planning know that the project program itself volition be comprised of several major elements. The first element includes the various project definitions, which we've covered at length in this chapter. The project parameters (scope, budget, schedule, quality) should be defined; the projection requirements must be delineated, so they autumn inside the projection'south parameters. One time the project definition stage is complete, yous create your WBS. As y'all know, the WBS defines all the major and modest tasks of the project that, when taken equally a whole, describe the total amount of piece of work in the project, or the project telescopic. The WBS we're using as the framework for this book and for our BC/DR plan is as follows:

one.

Project Definition

2.

Take chances Assessment

3.

Business organization Impact Assay

4.

Run a risk Mitigation Strategies

5.

Program Development

6.

Emergency Grooming

7.

Training, Testing, Auditing

8.

Plan Maintenance

We introduced this visual aid at the commencement of the volume and once more at the outset of this chapter. Nosotros'll keep to reference our progress in this book according to this framework, as shown in Figure 3.6. Y'all'll see this figure throughout the book to provide a visual reference for where nosotros are and what's coming upwards next.

Figure 3.6. Business continuity and disaster recovery project plan progress.

Project definition, risk cess

We've discussed project definition at length in this chapter, and we've also linked it to the risk assessment to exist discussed in detail in Chapter 4. The risk assessment is the phase in which all potential risks to the concern are listed so evaluated both for likelihood of occurrence and impact in the issue of an occurrence. As a company and equally a project team, you'll need to create a cut-off point so that risks that fall below the line are non addressed. This is one way the scope (and as a event, the budget and schedule) of the project is managed. We'll look at how to perform this phase of project work in the adjacent chapter.

Business impact assay

Concern impact analysis, covered in detail in Chapter 5, looks at how the business concern would exist impacted if the major risks were to occur. In order to make this process productive, it occurs after the adventure cess so that only the risks that autumn higher up the cutoff point, or above the risk line, are addressed. This, too, contributes to your ability to manage the scope, upkeep, and schedule of the project.

Run a risk mitigation strategies

Tying the risks with the business impact analysis together yields your BC/DR priorities. Clearly, y'all want to address just risks that have a high likelihood of occurrence and a medium to loftier impact should they occur. If a run a risk has a low risk of occurrence and it would have a low impact on your business, you may choose to non plan for that item hazard. Every company has to brand that call individually—there is no single correct answer, though there are real-world limitations to the value of planning as well far down the risk/touch on ladder. It probably isn't of any do good to spend 2 weeks and 300 staff hours planning for something that probably won't happen, and if information technology did happen, would bear on just 16 of your company's 1400 employees and none of your company'south top 100 clients. In Chapter six, nosotros'll look at how to develop strategies to manage the run a risk including ideas on how to reduce, avoid, and transfer risk.

Plan development

Once you've assessed your take chances and the impact of those risks, and adult strategies for mitigating those risks, you lot'll need to beginning working on putting those strategies into activity. That means developing a set of tasks that volition deliver the required results. Program development will include creating the project plan'southward WBS tasks related to actual BC/DR activities (equally opposed to plan activities) as well as all owners, deliverables, and success criteria. We'll look at this in Chapter seven in item.

Emergency preparation

Role of every BC/DR project programme should exist the actual emergency preparations that a company should undertake, and we'll wait at this in detail in Chapter 8. If your job is limited to IT-related functions, you might find that your function here is limited. Emergency preparations include the specific steps to take in the immediate aftermath of a disaster and the definition of when business continuity activities should begin. Though this might be outside the scope of your responsibilities or authority, we'll encompass the basics and then you tin be a knowledgeable contributor to the overall BC/DR planning procedure. If your job as the projection manager for this BC/DR project includes all aspects of BC/DR planning, and so this section will aid you lot rally the resources you lot need to create an effective emergency response program.

Training, testing, auditing

Affiliate ix covers the tasks you'll need to include in your BC/DR project plan related to training staff for emergency response and for implementing the BC/DR programme should that be necessary. Testing is something all It professionals are familiar with, and this takes on significance when you await at testing from the BC/DR perspective. Finally, you'll need to audit and assess strategies afterward you've trained staff and tested the plan. This is role of the iterative process you lot'll use throughout the project direction process. It is here where you lot discover cardinal gaps or broken processes; it is hither you have the opportunity to fix these gaps, errors, and omissions so that your BC/DR programme is as solid as possible within the given constraints of the system.

Plan maintenance

As we've discussed, an out-of-date plan is sometimes worse than no plan at all because it allows staff across the organization to make assumptions well-nigh BC/DR readiness that may simply be wrong. If your plan was crafted several years ago, there's a high likelihood it is no longer current. If y'all take a plan that you believe may be relatively current, you lot can short-track some of your planning processes by reviewing the programme confronting the steps delineated throughout this book. For example, you may choose to perform the hazard assessment and business organisation impact analysis with fresh eyes then compare the results to the plan y'all have. If at that place are significant gaps or disconnects, you may choose to chip the old plan altogether or change, update, and test the existing plan. The option is yours. Whichever path you cull, whether you have an existing plan or are creating one for the beginning time, you should build in tasks that allow the programme to be periodically reviewed and updated. In Affiliate 10, we'll discuss some of the methods companies use to do this so that y'all can create a maintenance plan for your BC/DR programme that makes sense for the way you do business today and in the future.

Real World

Perfect Earth vs. Reality

Throughout this book, we'll discuss perfect-globe scenarios as well as real-world realities. Project planning rarely follows the prescribed methods, timelines, and guild nosotros've discussed. It's useful to empathize best practices and preferred methods so that you tin strive to mirror those in your work. Yet, it'due south highly likely that there are 1 or more than mitigating factors that come into play with your project planning process. To presume that things will follow the divers order and work out perfectly is to prepare yourself up for disappointment and failure. The goal should be to strive to follow the predefined processes and steps to the greatest degree possible and to diverge from those only with intent and conscious selection. Anytime you find yourself diverging from all-time practices, make sure you lot ask yourself if this is by blow, by choice, or by necessity. That should help proceed your project on rail while still giving you the flexibility to deal with the specifics of your organization. As long as you lot're aware that yous're taking a side road or alternate path, y'all tin can still arrive at the same destination. It's when you lot shut your optics and hit the gas pedal that you're likely to get yourself (and your projection) into trouble.

Read full chapter

URL:

https://www.sciencedirect.com/science/article/pii/B9780124105263000039

Domain six

Eric Conrad , in Eleventh Hour CISSP, 2011

Developing a BCP/DRP

Developing a BCP/DRP is vital for an organization'south ability to respond and recover from an intermission in normal business organisation functions or from a catastrophic event. To ensure that all planning has been considered, the BCP/DRP has a specific set of requirements to review and implement. Listed next are the high-level steps, according to NIST 800-34, involved in achieving a sound, logical BCP/DRP. (NIST 800-34 is the National Institute of Standards and Technologies Information Engineering science Contingency Planning Guide, which tin exist plant at http://csrc.nist.gov/publications/nistpubs/800-34-rev1/sp800-34-rev1.pdf . 2 )

Project initiation

Project scoping

Business impact analysis

Preventive controls identification

Recovery strategy

Programme design and development

Implementation, training, and testing

BCP/DRP maintenance

Projection initiation

To develop the BCP/DRP, the scope of the project must be adamant and agreed on.

Fast Facts

Projection Initiation involves seven distinct milestones every bit quoted here 3 :

1.

Develop the contingency planning policy statement: A formal department or agency policy provides the authorization and guidance necessary to develop an effective contingency plan.

two.

Conduct the business impact assay (BIA): The BIA helps to identify and prioritize critical IT systems and components. A template for developing the BIA is also provided to help the user.

iii.

Place preventive controls: Measures taken to reduce the furnishings of system disruptions can increment arrangement availability and reduce contingency life cycle costs.

4.

Develop recovery strategies: Thorough recovery strategies ensure that the system may be recovered apace and effectively following a disruption.

five.

Develop an It contingency plan: The contingency program should contain detailed guidance and procedures for restoring a damaged system.

half dozen.

Plan testing, training, and exercises: Testing the plan identifies planning gaps, whereas grooming prepares recovery personnel for program activation; both activities improve plan effectiveness and overall bureau preparedness.

seven.

Plan maintenance: The program should be a living document that is updated regularly to remain current with system enhancements.

Assess critical state

Assessing the critical state can be difficult considering determining which pieces of the Information technology infrastructure are critical depends solely on how a piece supports users within the organization. For example, without consulting all users, a elementary mapping program may not seem to be a critical asset for an organization. However, if there is a user grouping that makes deliveries, this mapping software may be required for scheduling them.

Conduct Business Impact Analysis

The Business Touch Analysis (BIA) is the formal method for determining how a disruption to the organisation'southward IT organization(s) volition affect the organization's requirements, processes, and interdependencies with respect to the business concern mission. 4 BIA identifies and prioritizes critical IT systems and components, enabling the BCP/DRP project manager to fully characterize It contingency requirements and priorities. 5 The objective is to correlate each It organization component with the critical service it supports. The BIA also aims to quantify the consequence of a disruption to the component and how that will touch the organization. The primary goal is to make up one's mind the Maximum Tolerable Downtime (MTD) for a specific Information technology asset. This volition directly affect the choice of disaster recovery solution.

Exam Warning

The BIA comprises two processes. First, identification of critical assets; second, a comprehensive risk assessment.

Identify disquisitional assets

The critical nugget list contains IT assets that are deemed business-essential by the organization. These avails' DRP/BCP must accept the best available recovery capabilities assigned to information technology.

Bear BCP/DRP-focused risk assessment

The BCP/DRP-focused take a chance assessment determines which risks are inherent to which Information technology avails. A vulnerability analysis is also conducted for each IT organisation and major application considering near traditional BCP/DRP evaluations focus on physical security threats, both natural and man.

Determine maximum tolerable downtime

The primary goal of the BIA is to determine the Maximum Tolerable Downtime (MTD), which describes the total time a organization can be inoperable before the affect on the organisation becomes severe. Information technology is the maximum fourth dimension information technology takes to complete the reconstitute stage. Reconstitution is the process of moving an organization from disaster recovery to normal business organisation operations.

Maximum Tolerable Downtime comprises two metrics: the Recovery Time Objective (RTO) and Piece of work Recovery Fourth dimension (WRT) (to be discussed).

Alternate terms for MTD

Depending on the business continuity framework, terms that may exist substituted for Maximum Tolerable Reanimation include Maximum Allowable Downtime (MAD), Maximum Tolerable Outage (MTO), and Maximum Acceptable Outage (MAO).

Failure and recovery metrics

A number of metrics are used to quantify how frequently systems fail, how long a organization may be in a failed state, and the maximum time to recover from failure. They include Recovery Betoken Objective, Recovery Fourth dimension Objective, Piece of work Recovery Time, Mean Time Between Failures, Hateful Fourth dimension to Repair, and Minimum Operating Requirements.

Recovery Point Objective

The Recovery Point Objective (RPO) is the level of information/piece of work loss or organisation inaccessibility (measured in time) resulting from a disaster or disruptive event that an organisation can withstand.

If yous perform weekly backups, someone fabricated a decision that your company could tolerate the loss of a week's worth of data. If backups are performed on Saturday evenings and a system fails on Saturday afternoon, that week's worth of data is gone. This is the recovery point objective. In this case, the RPO is one week. 6

Recovery Time Objective and Piece of work Recovery Time

The Recovery Time Objective (RTO) describes the maximum time allowed to recover business or IT systems. Also chosen systems recovery time, it is one part of Maximum Tolerable Downtime: Once the arrangement is physically running, it must be configured.

Crunch Time

Work Recovery Time (WRT) describes the time required to configure a recovered system. "Downtime consists of two elements, the systems recovery time and the work recovery fourth dimension. Therefore, MTD = RTO + WRT." 7

Hateful Time between Failures

Hateful Time between Failures (MTBF) quantifies how long a new or repaired system volition run earlier failing. It is typically generated by a component vendor and is largely applicable to hardware equally opposed to applications and software.

Mean Time to Repair

Hateful Time to Repair (MTTR) describes how long it will have to recover a specific failed organisation. It is the all-time guess for reconstituting the It system to achieve business continuity.

Minimum Operating Requirements

Minimum Operating Requirements (MOR) describe the minimum ecology and connectivity requirements for computer equipment to operate. It is important to certificate the MOR for each Information technology critical asset because, in the event of a disruptive issue or disaster, proper analysis tin can exist conducted quickly to make up one's mind if the asset will be able to role in the emergency environment.

Place preventive controls

Preventive controls prevent the potential touch on of disruptive events. For case, as stated in Chapter 4, HVAC systems are designed to prevent figurer equipment from overheating and failing.

Did you Know?

The BIA volition identify risks that may be mitigated immediately. This is some other reward of performing BCP/DRP, including the BIA: Information technology improves your security, even if no disaster occurs.

Recovery strategy

Once the BIA is consummate, the BCP team knows the Maximum Tolerable Downtime. This metric, every bit well every bit Recovery Point Objective, Recovery Time Objective, and others, make up one's mind the recovery strategy. A cold site cannot exist used if the MTD is 12 hours, for instance. As a general rule, the shorter the MTD, the more expensive the recovery solution.

Redundant site

A redundant site is an exact product duplicate of a system which has the capability to seamlessly operate all necessary IT operations without loss of services to the system'southward end user. It receives data backups in real time so that in the event of a disaster, users endure no loss of data availability. A redundant site is configured exactly like the primary site and is the virtually expensive recovery option because it effectively more than doubles the price of IT operations.

Hot site

A hot site is a data center to which an organization may relocate following a major disruption or disaster. Information technology is equipped with a raised floor, power, utilities, calculator peripherals, and fully configured computers. The hot site will have all necessary hardware and disquisitional applications data mirrored in real time. Information technology allows the system to resume critical operations inside a very short period of time—sometimes less than an hour.

Information technology is of import to annotation the difference between a hot and a redundant site. Hot sites can speedily recover critical IT functionality, maybe fifty-fifty in minutes instead of hours. However, a redundant site appears to the stop user as operating normally no matter what the state of operations for the It programme. A hot site has all of the physical, technical, and administrative controls implemented at the production site.

Warm site

A warm site has some aspects of a hot site—for example, readily accessible hardware and connectivity—but it must rely on backup data in order to reconstitute a system afterward a disruption. A warm site, as well, is a data center with a raised floor, power, utilities, computer peripherals, and fully configured computers.

Cold site

A cold site is the least expensive recovery solution. It does not include backup copies of information nor does it contain any immediately available hardware. After a disruptive event, a common cold site takes the longest fourth dimension of all recovery solutions to be implemented and to restore critical Information technology services. Especially in a disaster area, information technology may have weeks to obtain and install vendor hardware. Organizations using this recovery solution will thus accept to be able to withstand a significantly long MTD—usually measured in weeks, not days. A typical cold site data heart has a raised floor, power, utilities, and physical security, just not much beyond that.

Reciprocal agreement

Reciprocal agreements are bi-directional arrangements between ii organizations in which i promises the other that the latter tin move in and share space in the wake of a disaster. Such agreements are documented in the form of a contract written to proceeds back up in a disaster from outside organizations. They are also referred to every bit Common Aid Agreements (MAAs) and are structured so that the parties will assist the other in an emergency.

Mobile site

Mobile sites are "data centers on wheels"—that is, towable trailers that comprise racks of calculator equipment every bit well as HVAC, fire suppression, and concrete security. They are a practiced fit for disasters such as a flood, where the data middle is damaged but the rest of the facility and surrounding property are intact. They may be towed onsite, supplied power and network, and brought online.

Related plans

Equally discussed previously, the Business concern Continuity Plan is an umbrella that covers other plans. In add-on to the disaster recovery program, these include

Continuity of Operations Program (COOP)

Business Resumption/Recovery Plan (BRP)

Continuity of Support Plan

Cyber Incident Response Program

Occupant Emergency Plan (OEP)

Crisis Management Programme (CMP)

Table 6.2, from NIST Special Publication 800-34, eight provides a summary.

Table vi.ii. Summary of BCP Plans

Phone call trees

A key tool for staff communication in the Crisis Communications Programme is the call tree, which is used to chop-chop communicate news throughout an organization without overburdening whatsoever one employee. The call tree works by assigning each employee a modest number of other employees whom they must call in an emergency. For example, the president may notify his board of directors of an emergency situation and they, in turn, notify their top-tier managers. The top-tier managers so notify the subordinates they have been assigned. The call tree continues until all affected personnel accept been contacted.

Read full affiliate

URL:

https://www.sciencedirect.com/science/article/pii/B9781597495660000060